Criticial Insights from ECHR and the Turkish DPA

I. Introduction

In a world where the digital realm has become deeply intertwined with our daily lives, the importance of data protection cannot be overstated. Turkey, as a part of its commitment to safeguarding its citizens' rights, has enacted stringent regulations regarding the processing of personal and biometric data. This article delves deep into Turkey's legal landscape concerning data protection and especailly the usage of biometric data in Turkey, providing a comprehensive overview for anyone navigating this intricate subject.

II. Applicable Legislation in Turkey for Data and Biometric Data Processing:/strong>

The primary legislation governing the processing of personal data in Turkey is the Personal Data Protection Law (PDPL), numbered 6698. The PDPL aims to protect the fundamental rights and freedoms of individuals, particularly the right to privacy, concerning the processing of personal data.

Under the PDPL, personal data refers to any information relating to an identified or identifiable natural person. When this personal data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processes genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, it is classified as 'specialized personal data.' Biometric data, which has gained significance in various sectors due to technological advancements, falls under this special category, mandating stricter processing rules.

The PDPL is complemented by various secondary regulations and decisions made by the Personal Data Protection Board (The Board). The Board plays a crucial role in interpreting the PDPL and providing guidance on its implementation.

III. Understanding Personal Data: A Deep Dive into Turkey's PDPL Article 3(a) and 6(1)

Within the framework of Turkey's Personal Data Protection Law (PDPL), there are distinct classifications for data. At the heart of these definitions lies what's termed as 'personal data', as defined in Article 3(a) of the PDPL. This data encompasses any information relating to an identified or identifiable natural person, covering a broad spectrum from basic details like names and addresses to more technical data like IP addresses.

However, there's a subset of personal data that demands greater attention due to its sensitivity – the 'special categories of personal data'. Article 6(1) of the PDPL delves deeper into this, highlighting data types that reveal racial or ethnic origin, political stances, religious or philosophical beliefs, and even trade union memberships. A standout in this category is biometric data. With its unique capability of identifying individuals, biometric data's inclusion under this category underscores its significance and sensitivity.

IV. Navigating Data Rights and Obligations in Turkey: Insights from PDPL Articles 11 and 12

The PDPL is not just about defining data; it's also a guiding light on the rights of data subjects and the obligations of those who control the data. Article 11 of the PDPL notes the rights of data subjects. It empowers individuals to know if their data has been processed, to understand the purpose behind such processing, and to be informed about third parties involved in such transactions, be it domestic or international.

Furthermore, individuals can request rectification of their data if it's processed inaccurately, and they have the right to object to any results emerging from automated system analyses of their data. If there's any infringement, the law grants them the right to claim damages.

On the flip side, data controllers have their set of obligations outlined in Article 12 of the PDPL. They must ensure the security of personal data, keep data subjects informed about any breaches, and register with the Data Controllers' Registry. Moreover, they're required to prepare a Personal Data Processing Inventory and, if necessary, appoint a Data Protection Officer.

V. The Rise of Biometrics in Turkey's Private Sector: Real-world Applications and Implications

Biometric data is not confined to legal discussions. Its practical applications are widespread across various sectors in Turkey. The health sector, for instance, leverages biometric data, especially genetic data, for diagnostics, treatment planning, and tailoring medicine to individual needs. The utilization of biometric identification in hospitals and clinics for patient registration ensures accuracy and prevents medical mishaps.

In the realm of business, many firms have turned to biometric systems for employee monitoring, by trying to find ways to implement fingerprint or facial recognition technologies offer precise timekeeping and enhanced security. These efforts were subsequently blocked by Board decisions.

The technological domain has also embraced biometrics . The gadgets we use daily, be it smartphones, tablets, or computers, now come equipped with fingerprint scanners, facial recognition, and even voice recognition features. It's a testament to how intertwined biometrics has become with our daily lives.

Lastly, the security sector in Turkey holds biometrics in high regard. The unparalleled identification accuracy offered by biometrics is evident in high-security areas where access control is paramount. Even surveillance systems now employ facial recognition technology, emphasizing the role of biometrics in modern security protocols.

VI. Case Precedents Regarding Biometric Data

a. Biometric Data on the International Stage: The GLUKHIN v. Russia Case

In a landmark judgment, the European Court of Human Rights (ECHR) has ruled on the use of facial recognition technology and the rights to privacy and freedom of expression in the case of Glukhin v. Russia.

Glukhin held a solo demonstration in Moscow, which was captured and subsequently published on a public Telegram channel. The police discovered this content during routine internet surveillance. In their investigation, they made screenshots of the Telegram channel and employed facial recognition technology on them to identify Glukhin. Furthermore, after deducing the location in the video as a Moscow subway station, they garnered video recordings from CCTV surveillance cameras from that station and two others Glukhin passed through. Notably, these recordings were later utilized as evidence against him in administrative proceedings.

The court's decision (which can be accessed here) accentuated the importance of a transparent and robust legal framework for collecting, storing, and using biometric data. Therefore, the court determined that there had been a violation of both Article 8 (right to respect for private life) and Article 10 (freedom of expression) of the Convention. The decision underscored the necessity of detailed rules governing facial recognition measures and the imperative for robust safeguards against potential misuse and arbitrariness.

The court emphasized the implications of using such invasive technology, stating it could create a chilling effect on rights to freedom of expression and assembly. The court highlighted the importance of the right to respect for private life, as delineated in Article 8, and the freedom of expression, as set out in Article 10. In its judgment, the court established that the State's interference with Glukhin's rights did not align with a "pressing social need" and thus was not justified.

This case serves as a stark reminder of the inherent risks and challenges associated with biometric data, particularly when handled carelessly or without adequate justification.

b. Deciphering the Turkish Data Protection Board's Verdict on Biometric Data

The Turkish Data Protection Board, in its decision under reference number 2022/662, made a crucial determination concerning the collection and processing of biometric data, specifically focusing on hand geometry.

i. Background of the Decision:

The decision came into the spotlight due to a complaint lodged by an individual, asserting that a private company had collected their hand geometry data without obtaining explicit consent. The main contention was that such an act was not only invasive but also contravened the principles enshrined in the Personal Data Protection Law (PDPL).

ii. Board's Determination Regarding the Use of Biometric Data:

After thorough review and deliberation, the Board sided with the complainant's concerns. It was unequivocally established that the collection of hand geometry data, even if intended for security or authentication reasons, is categorized under biometric data. This categorization mandates the acquisition of explicit consent from the data subject prior to any data collection or processing. The private company in question was deemed to be in breach of the PDPL, and was accordingly sanctioned with a 100.000 TL administrative fine.

iii. Implications of the Decision:

This resolution by the Board serves as a reminder of the intricate nature of biometric data and the stringent safeguards surrounding its collection and processing. The decision higlights the pivotal role of informed consent and stands as a cautionary tale for organizations to meticulously align their data processing practices with the prescribed legal mandates.

Beyond the immediate implications, the Board's pronouncement sets a clear precedent for future cases and disputes surrounding biometric data. The decision elucidates the definition and scope of what is encompassed within biometric data, fortifying the rights of data subjects in the digital epoch. It beckons companies, both domestic and international operating in Turkey, to revisit and reassess their data collection methods, ensuring they are in strict congruence with the PDPL and other associated regulations.

VII. Concluding Thoughts on Biometric Data in Turkey

Turkey's journey in the realm of biometric data protection is a dynamic one. With a robust legal framework in the PDPL, the country has set clear boundaries on what's permissible and what's not. From defining personal and biometric data to highlighting the rights and obligations of stakeholders, the law covers it all.

Real-world applications of biometrics in sectors like health, technology, and security show its growing importance. However, with international cases like GLUKHIN v. Russia ringing alarm bells, it's evident that there's no room for complacency.

Turkey's Data Protection Board's decision further cements the country's stance on this matter, ensuring that biometric data processing aligns with the best practices and respects individual rights.

For entities, especially those in the private sector, it's crucial to stay updated, comply with the regulations, and prioritize data protection. The landscape might be intricate, but with awareness and adherence, navigating it becomes less daunting.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.